IN THE CLAIMS:
What is claimed is:

1. (Cancelled) 

2. (Currently amended) The computer-implemented method of claim 31, wherein 
the severity levels are calculated based on at least one of the number of event sets within each of 
the groups, the source attribute of the event sets within each of the groups, the target attribute of 
the event sets within each of the groups, and the event category attribute of the event sets within
each of the groups. 

3. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the events include at least one of a web server event, an electronic mail event, a Trojan horse,
denial of service, a virus, a network event, an authentication failure, and an access violation.

4. (Currently amended) The computer-implemented method of claim 1, claim 31, further
comprising: 

calculating the threshold value based on at least one of the source attribute of the event 
sets within the group, the target attribute of the event sets within the group, the event category 
attribute in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group. 

5. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the target attribute represents one of a computer and a collection of computers. 

6. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the source attribute represents one of a computer and a collection of computers. 

7. (Currently amended) The computer-implemented method of claim 1, claim 31, further
comprising:

aggregating a subset of the groups into a combined group.

8-11 (Cancelled)

12. (Currently amended) The computer program product of claim 11, claim 34, wherein the
severity levels are calculated based on at least one of the number of event sets within each of the
groups, the source attribute of the event sets within each of the groups, the target attribute of the
event sets within each of the groups, and the event category attribute of the event sets within
each of the groups. 

13. (Currently amended) The computer program product of claim 11, claim 34, wherein the
events include at least one of a web server event, an electronic mail event, a Trojan horse, denial 
of service, a virus, a network event, an authentication failure, and an access violation. 

14. (Currently amended) The computer program product of claim 11, claim 34, wherein the
computer-readable instructions further include: 

sixth instructions for calculating the threshold value based on at least one of the source 
attribute of the event sets within the group, the target attribute of the event sets within the group, 
the event category attribute in each event set of the group, and the number of attributes in each 
event set of the group that are held constant across all of the event sets in the group. 

15. (Currently amended) The computer program product of claim 11, claim 34, wherein the
target attribute represents one of a computer and a collection of computers. 

16. (Currently amended) The computer program product of claim 11, claim 34, wherein the
source attribute represents one of a computer and a collection of computers.

17. (Currently amended) The computer program product of claim 11, claim 34, wherein the
computer-readable instructions further include: 

seventh instructions for aggregating a subset of the groups into a combined group.

18-21 (Cancelled)

22. (Currently amended) The data processing system of claim 21, claim 37, wherein the 
severity levels are calculated based on at least one of the number of event sets within each of the
groups, the source attribute of the event sets within each of the groups, the target attribute of the
event sets within each of the groups, and the event category attribute of the event sets within 
each of the groups. 

23. (Currently amended) The data processing system of claim 21, claim 37, wherein the
events include at least one of a web server event, an electronic mail event, a Trojan horse, denial
of service, a virus, a network event, an authentication failure, and an access violation.

24. (Currently amended) The data processing system of claim 31, claim 37, wherein the
processing unit executes the set of instructions to perform the act of:

calculating the threshold value based on at least one of the source attribute of the event 
sets within the group, the target attribute of the event sets within the group, the event category
attribute in each event set of the group, and the number of attributes in each event set of the
group that are held constant across all of the event sets in the group.

25. (Currently amended) The data processing system of claim 31, claim 37, wherein the
target attribute represents one of a computer and a collection of computers. 

26. (Currently amended) The data processing system of claim 21, claim 37, wherein the 
source attribute represents one of a computer and a collection of computers.

27. (Currently amended) The data processing system of claim 21, claim 37, wherein the
processing unit executes the set of instructions to perform the act of: 

aggregating a subset of the groups into a combined group. 

28-30 (Cancelled)

31. (Currently amended) A computer-implemented method in a data processing system for
reporting security situation, comprising the computer-implemented steps of: The
computer-implemented method of claim 1, further comprising:

a first correlation server in a hierarchy of correlation servers, logging events by storing
event attributes as an event set wherein each event set includes a source attribute, a target
attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute within the
event set as an identical value;

calculating a respective severity level for each of the groups;

calculating a delta severity for each group from the respective severity level and a
respective prior severity level;

for each group having a non-zero delta severity, propagating the respective delta severity
to a higher-level correlation server;

receiving, in the higher-level correlation server, a plurality of delta packets from a
plurality of lower-level correlation servers that include the first correlation server, wherein each 
delta packet contains the respective delta severity for each group of the respective lower-level 
correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the plurality of delta packets to form a new 
delta packet; 

if the higher-level correlation server is the top level of the hierarchy of correlation 
servers, performing a second mathematical operation on the new delta packet and a stored 
severity packet to form a new severity packet; and 

if the higher-level correlation server is not the top level of the hierarchy of correlation 
servers, propagating the new delta packet to a higher-level correlation server. 

32. (Previously presented) The computer-implemented method of claim 31, wherein the first
mathematical operation and the second mathematical operation are each one of addition,
arithmetic mean, and geometric mean.

33. (Previously presented) The computer-implemented method of claim 31, further
comprising presenting to an operator each group which has a respective severity value in the new
severity packet that is greater than a respective threshold.

34. (Currently amended) A computer program product comprising: The computer program
product of claim 11, further comprising instructions for:

a recordable-type media having computer-readable instructions including

first instructions, in a first correlation server in a hierarchy of correlation servers, for
logging events by storing event attributes as an event set, wherein each event set includes a
source attribute, a target attribute and an event category attribute;

second instructions for classifying events as groups by aggregating events with at least
one attribute within the event set as an identical value;

third instructions for calculating a severity level for each of the groups;

fourth instructions for calculating a delta severity for each group from the respective
severity level and a prior severity level; and

fifth instructions for propagating, for each group having a non-zero delta severity, the
delta severity to a higher-level correlation server,

sixth instructions for receiving, in the higher-level correlation server, a plurality of delta
packets from a plurality of lower-level correlation servers that include the first correlation server,
wherein each delta packet contains the respective delta severity for each group of the respective
lower-level correlation server that has a non-zero delta severity;

seventh instructions for performing a first mathematical operation on the plurality of
delta packets to form a new delta packet;

if the data processing system is the top level of the hierarchy of servers, eighth
instructions for performing a second mathematical operation on the new delta packet and a
stored severity packet to form a new severity packet; and

if the data processing system is not the top level of the hierarchy of servers, ninth
instructions for propagating the new delta packet to a higher-level correlation server.

35. (Previously presented) The computer program product of claim 34, wherein the first
mathematical operation and the second mathematical operation are each one of addition,
arithmetic mean, and geometric mean.

36. (Currently amended) The computer program product of claim 34, further comprising
instructions for presenting to an operator each group that has a respective severity value in the
new severity packet that is greater than a respective threshold.

37. (Currently amended) A data processing system for reporting security events, comprising:
The data processing system of claim 31, further comprising:

a first bus system;
a first memory;

a first processing unit connected as a first correlation server in a hierarchy of correlation
servers, wherein the first processing unit includes at least one processor; and
a first set of instructions within the first memory,
a second bus system;
a second memory;

a second set of instructions within the second memory; and

a second processing unit connected as the higher-level correlation server;

wherein the first processing unit executes the first set of instructions to perform the acts

logging events by storing event attributes as an event set, wherein each event set
includes a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute
within the event set as an identical value;

calculating a severity level for each of the groups;

calculating a delta severity for each group from the respective severity level and a
prior severity level; and

for each group having a non-zero delta severity, propagating the delta severity to
a higher-level correlation server;

wherein the second processing unit executes the second set of instructions to perform the
acts of:

receiving, from the first correlation server and a third correlation server, a first
delta packet and a second delta packet, wherein said first delta packet contains the 
respective delta severity for each group of the first correlation server that has a non-zero 
delta severity and the second delta packet contains a respective delta severity for each 
group of the third correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the first delta packet and the second
delta packet to form a new delta packet; 

if the data processing system is the top level of a hierarchy of servers, performing 
a second mathematical operation on the new delta packet and a stored severity packet to 
form a new severity packet; and 

if the data processing system is not the top level of a hierarchy of servers,
propagating the new delta packet to a higher-level correlation server. 

38. (Previously presented) The computer program product of claim 37, wherein the first 
mathematical operation and the second mathematical operation are each one of addition, 
arithmetic mean, and geometric mean. 

39. (Previously presented) The computer program product of claim 37, further comprising
presenting to an operator each group which has a respective severity value in the new severity
packet that is greater than a respective threshold. 
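
The delta-severity propagation recited in claims 31 to 33, as an added Python example that is not part of the application or of any implementation by the applicant. It assumes groups are keyed on the target attribute, severity is the number of event sets in a group, and both mathematical operations are addition; the class names, host names and addresses are constructed for illustration.

```python
from collections import Counter

class LeafServer:  # lowest-level correlation server (hypothetical name)
    def __init__(self, group_key="target"):
        self.group_key = group_key   # attribute held identical within a group (assumed)
        self.events = []
        self.prior = Counter()       # severity per group at the previous report

    def log(self, source, target, category):
        self.events.append({"source": source, "target": target, "category": category})

    def delta_packet(self):
        severity = Counter(e[self.group_key] for e in self.events)  # count per group
        delta = {g: severity[g] - self.prior[g] for g in severity.keys() | self.prior.keys()}
        self.prior = severity
        return {g: d for g, d in delta.items() if d != 0}  # only non-zero deltas go up

class UpperServer:  # higher-level server; top of the hierarchy when parent is None
    def __init__(self, parent=None):
        self.parent = parent
        self.severity = Counter()    # stored severity packet, used at the top level

    def receive(self, packets):
        new_delta = Counter()
        for packet in packets:       # first mathematical operation: addition
            for group, d in packet.items():
                new_delta[group] += d
        new_delta = {g: d for g, d in new_delta.items() if d != 0}
        if self.parent is not None:  # not the top: propagate the new delta packet
            return self.parent.receive([new_delta])
        for group, d in new_delta.items():  # second mathematical operation: addition
            self.severity[group] += d
        return dict(self.severity)

    def alerts(self, threshold):
        return sorted(g for g, s in self.severity.items() if s > threshold)

def demo():
    a, b, top = LeafServer(), LeafServer(), UpperServer()
    mid = UpperServer(parent=top)
    a.log("10.0.0.5", "web01", "auth_failure")   # constructed sample events
    a.log("10.0.0.6", "web01", "auth_failure")
    b.log("10.0.0.7", "web01", "virus")
    b.log("10.0.0.7", "db01", "access_violation")
    first = mid.receive([a.delta_packet(), b.delta_packet()])
    quiet = a.delta_packet()                     # nothing new logged, so empty
    a.log("10.0.0.8", "db01", "auth_failure")
    second = mid.receive([a.delta_packet(), b.delta_packet()])
    return first, quiet, second, top.alerts(threshold=2)
```

Only changed groups cross each link: the second round carries a single entry for `db01`, while the top-level severity packet still holds the full picture.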